
Possible modsec.sh false positives - where to find malware files?

Open slrslr opened this issue 7 years ago • 0 comments

Hello,

I think that /usr/local/maldetect/modsec.sh is detecting malware where there is no malware.

My rule:

SecRequestBodyAccess On
SecTmpSaveUploadedFiles On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" "log,auditlog,deny,severity:2,phase:2,t:none,id:99587,msg:'Malware found by LMD.'"

Example possible false positives:

PHPBB

Request: POST /posting.php?mode=post&f=158&sid=1723f136a42fbf6c60b64d55df361682
Action Description: Access denied with code 406 (phase 2).
Justification: File "/tmp//20170925-104111-WcjdR5teQx0AAG8H4tsAAAAE-file-azPlYR" rejected by the approver script "/usr/local/maldetect/modsec.

HY$Pmonitor

Request: POST /admin.php?a=edit_listing&lid=2441&gid=0&p=
Action Description: Access denied with code 406 (phase 2).
Justification: File "/tmp//20170925-090451-WcjGs5teQx0AAAbNnyQAAAAY-file-blQfR6" rejected by the approver script "/usr/local/maldetect/modsec.

Detail of one possible false positive: https://pastebin.com/ycc0j0vE

Please, where can I find those "/tmp//20170925****" files now, to look into them? They are not in maldetect/quarantine, nor in /tmp or /var/tmp, nor in /usr/local/maldetect/pub/*/quar/ (though the directories and event_log exist). Some old malware files are in /usr/local/maldetect/quarantine.

$ maldet -v

Linux Malware Detect v1.6.2 signature set: 201708255569

$ cat hookscan.sh|grep =

file="$1"
inspath='/usr/local/maldetect'
intcnf="$inspath/internals/internals.conf"
quarantine_hits=1
quarantine_clean=0
scan_tmpdir_paths=''
hscan=1
isclamd=pidof clamd 2> /dev/null
clamd_scan=1
clamd_scan=0
hookcnf="$inspath/conf.maldet.hookscan"
cd /tmp ; $inspath/maldet --hook-scan --config-option quarantine_hits=$quarantine_hits,quarantine_clean=$quarantine_clean,tmpdir=/var/tmp,scan_tmpdir_paths=$scan_tmpdir_paths,scan_clamscan=$clamd_scan -a "$file"

$ echo "test file" > /tmp/test.php
$ cd /tmp ; /usr/local/maldetect/maldet --config-option quar_hits=1,quar_clean=0,tmpdir=/var/tmp,scan_tmpdir_paths='',scan_clamscan=1 --hook-scan -a "/tmp/test.php"

maldet(7435): {scan} setting maximum execution time for 'find' file list: 14400sec 1 maldet: OK

scan_user_access="1" newest ModSecurity, SuPHP, Apache 2.2, PHP 5.3

If anyone is willing to take a look at this, please kindly let me know. Thank you.

slrslr, Sep 25 '17 11:09